Si Biles, co-host of the Forensic Focus podcast, reviews DEI PRO, ADF Solutions' automated digital forensic tool that collects files and artifacts and presents the evidence in a timeline view.
As part of reviewing Digital Evidence Investigator PRO (DEI PRO), ADF Solutions was good enough to send me a full DEI PRO Field Tablet kit, to make sure I enjoyed the full experience with the correct hardware. The kit I received came packed in one of the excellent “Peli” cases, filled with perfectly cut packing foam to cosset the enclosed equipment. The tablet can be dropped from four feet, will operate in the temperature range from -28°C to 62°C, and is protected against dust (completely) and water (low-pressure water jets from any angle). It's a smart choice for the use case and has all the quality that you'd expect because of it.
Before the equipment arrived, I was gratified to have a live demo with Ailsa Slack to take me through the product. She helped me out with understanding the scope within which they’re comfortable operating, and I’d have to agree (with some small caveats) that DEI PRO is certainly one of the best automated digital forensic tools I’ve seen.
In the collection of mobile devices they're very quick (actually _very_ quick, I was quite surprised), but they recognise that these acquisitions are limited to those where there is “legitimate access” – they're not cracking or exploiting devices. This is not a bad thing – especially in the UK, where RIPA allows (enforces!) the request of access to a device, backed up by the courts – but one to note: if cracking or exploiting devices is what you need, this is not the tool for you. What it is really good for is the quick triage of the device (especially in this field kit form) on site, to allow for a reasonable strategy for further investigation.
That's not to say that as a “triage tool” the findings that it pulls out are not admissible, merely that the role is not the same as an “in depth” examination. Everything is forensically sound, with all of the checks, balances and controls that you'd expect from any tool being leveraged by law enforcement. ADF DEI PRO (as software) is every bit as capable as any other tool for doing that more “in depth” examination – it's just that in the form factor of the field tablet, it feels and behaves like an on-scene triage tool. The interface is very easy to use from the touch screen, and I never even resorted to the supplied Bluetooth keyboard and mouse – obviously, in a lab with a desktop this would be different, but the layout is clear, clean and easy to navigate either way.
Figure 2: The Mobile Investigation “Home Screen”
Acquisition is straightforward – follow the on-screen instructions and all will be well. If you're a muppet like me, and don't follow the on-screen instructions, it can be a little confusing. There is no “Cancel” or “Back” button during the process which, given that it wasn't going anywhere (through my error rather than its own), was slightly frustrating at the time. It is one of those things that you notice only because you've messed up, and when doing things right it is entirely superfluous – but still, it was a pain to exit out of the application in order to find my error by repeating the steps (this time, correctly).
Figure 3: Simple, clear instructions nearly anyone (except me) could follow.
Examination of the device in real time is also a possibility, and you don't have to wait for the acquisition to finish first either. On both Android and Apple this comes with the capability to record video and screenshots of the on-screen actions on the device, and you can use either the device itself or interact with it through the application interface. This is a really nice feature that beats hands down a large amount of the “shaky cam” footage I've seen captured in other cases, where a video recording device held by an examiner is used to capture the screen. As there are a number of applications that can't easily be captured in other ways, screen recording is a wonderful way to capture a forensically sound copy.
Figure 4: Screen Recording and Screenshots
There are a number of pre-defined “Search Profiles” that you can run against your target. These contain a good range of choices – there is a bias towards those with a title of “Child Exploitation” (perhaps ADF showing on their sleeve there what they see as a significant use case) but the reality is that the level (“Quick”, “Intermediate” and “Comprehensive”) and content of examinations are appropriate for a far wider range than that, and, more to the point, if you’d rather that your “Search Profile” was called or contained something specific, then you’re welcome to change them or create your own.
Figure 5: Sample of some of the “Search Profiles”
The scans are comprehensive for both computers and mobiles and include features such as a “categorisation tool” that attempts to automatically identify certain types of content (e.g. IIoC, Pornography, Bestiality etc.) – as I have found with pretty much every automated tool that attempts this that I've ever come across, your mileage may vary. You can adjust the thresholds in order to be more or less strict in adherence to the defined category, but manual review is still a necessary component. Unfairly, on my test device (seeing as my phone isn't loaded up with illicit material) all I can really comment on is false positives rather than anything else. Therefore, I think it's fair for me to say that “in the real world” I'd much rather see false positives than false negatives if it's being used as a triage tool, and I'd say that it (in the default setup) errs in the right direction. The categorisation works across both stills and video, and the video processing extracts (as a configurable option) frames from the media.
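The trade-off the paragraph above describes, a looser categorisation threshold that tolerates false positives (the onion) so that nothing relevant is missed at triage, is easy to see on a small labelled set. The following is an added example and not ADF's code; DEI PRO's actual threshold semantics are not described here, so the scores, filenames and reviewer labels are constructed, and the threshold is assumed to be a simple "flag everything scoring at or above it" cut-off.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scored:
    name: str
    score: float      # hypothetical classifier confidence for the category (0..1)
    relevant: bool    # ground truth a human reviewer would assign (constructed)


# Constructed sample set: a few stills and extracted video frames with made-up
# scores. "onion.jpg" stands in for the kind of false positive the review shows.
SAMPLE = [
    Scored("img_001.jpg", 0.97, True),
    Scored("img_002.jpg", 0.88, True),
    Scored("vid_003_frame12.jpg", 0.74, True),
    Scored("img_004.jpg", 0.61, True),
    Scored("onion.jpg", 0.58, False),
    Scored("beach.jpg", 0.42, False),
    Scored("img_007.jpg", 0.39, True),
    Scored("sunset.jpg", 0.21, False),
    Scored("cat.jpg", 0.08, False),
]


def confusion(items, threshold):
    """Count TP/FP/FN/TN when every item scoring >= threshold is flagged for review."""
    tp = fp = fn = tn = 0
    for it in items:
        flagged = it.score >= threshold
        if flagged and it.relevant:
            tp += 1
        elif flagged and not it.relevant:
            fp += 1
        elif not flagged and it.relevant:
            fn += 1
        else:
            tn += 1
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn}


def precision_recall(items, threshold):
    """Precision = how much of the flagged pile is real; recall = how much real material was caught."""
    c = confusion(items, threshold)
    flagged = c["tp"] + c["fp"]
    relevant = c["tp"] + c["fn"]
    precision = c["tp"] / flagged if flagged else 0.0
    recall = c["tp"] / relevant if relevant else 0.0
    return precision, recall


def sweep(items):
    """Precision/recall/FN at every distinct score, highest threshold first."""
    rows = []
    for t in sorted({it.score for it in items}, reverse=True):
        p, r = precision_recall(items, t)
        rows.append((t, round(p, 3), round(r, 3), confusion(items, t)["fn"]))
    return rows


def triage_threshold(items, min_recall=1.0):
    """Highest threshold that still meets the required recall.

    For triage the target is usually min_recall=1.0 (no misses); the price is
    whatever false positives sit above the lowest-scoring relevant item, and
    those are what the manual review then weeds out.
    """
    for t in sorted({it.score for it in items}, reverse=True):
        _, r = precision_recall(items, t)
        if r >= min_recall:
            return t
    return 0.0


if __name__ == "__main__":
    print("threshold  precision  recall  missed")
    for t, p, r, fn in sweep(SAMPLE):
        print(f"{t:9.2f}  {p:9.3f}  {r:6.3f}  {fn:6d}")
    t = triage_threshold(SAMPLE)
    print(f"\ntriage threshold (no misses): {t}  ->  {confusion(SAMPLE, t)}")
```

Run as a script it prints the sweep; a strict cut at 0.6 reviews only true hits but misses one relevant image, while the no-miss threshold of 0.39 drags in the onion and the beach photo. That second list is the one a triage examiner wants, and the extra manual review is the cost of getting it.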
Figure 6: My “Pornographic” onion joke. False positives are fine.
Figure 7: Extracted frames from video.
Figure 8: General Image Browsing
All the usual suspects are there for both computer and mobile analysis – timelines, keyword searching, browser history etc. – and it's quite happy with macOS, Windows and Linux on the “real computer” side of things, recognising and decoding all manner of partition types and system data.
Figure 9: Timeline
Figure 10: Keywords
On the computer side, though, there is another trick up the ADF sleeve – the ability to create pre-configured “Collection Keys”. This allows for the in-app creation of bootable USB media which, coupled with a drive for the image to be collected to, allows for the acquisition of a device (one that can be booted from USB, of course …) running Windows, Linux and, yes, macOS, even on Apple silicon.
Figure 11: Preparing a “Collection Key”
Overall, I have to say that I really enjoyed my time with the ADF Field Tablet and DEI PRO – it felt like a good match, was astonishingly performant for something which apparently only has 8GB of RAM in it, and was easy to use and navigate. The tools appear comprehensive – although I will say that, even in a long-term test like this, there are only so many “test scenarios” that one can concoct to test with – and I didn't find anything lacking. Where I feel that the product excels is in the screen recording and image capture. If this were to be used for the collection of all evidence in the mobile phone cases that I get to review, I would be exceedingly happy: no more out-of-focus, shaky mobile footage of examinations! On top of all this, if you feel so inclined, you can do your work in the shower – a great product.
Request your free ADF Forensic Evaluation License, offering qualified organizations a full-featured trial of ADF’s digital forensic software, at TryADF.com.
Oh, I so love a good Peli case – they're nigh on indestructible in my experience. I've got one for my write blocker kit and it really has taken a beating over many years and shrugged it off.
The Field Tablet kit as supplied:
- Dell Latitude 7220 Rugged licensed with Digital Evidence Investigator® PRO Software and with Intel® i5 Core™, 8GB RAM, M.2 256GB SSD, and PRO Boot Dongle
- 500GB External SSD Collection Drive
- USB cables for iOS, USB cables for Android
- 4 Port USB Hub
- Pelican™ case
Marketing material claims “Advanced logical acquisition of iOS/Android data up to 4GB per minute” and that seems plausible to me.
This feature for Apple is new as of May this year (23).